
Article 12 binding 2026-08-02 (107 days from 2026-04-17)

EU AI Act Article 12 — Compliance for AI Agent Deployments

Article 12 of Regulation (EU) 2024/1689 requires providers and deployers of high-risk AI systems to generate automatic logs of system operation. Code Atelier Governance is a Python SDK that writes HMAC-chained, append-only audit rows to your existing Postgres and produces a signed evidence bundle your compliance officer can hand to a regulator.

What Article 12 actually requires

The primary source is Regulation (EU) 2024/1689, Article 12. Operative text of the article requires automatic recording of events (“logs”) over the lifetime of the high-risk AI system. The frequently-cited phrase “appropriate to the intended purpose” about retention length appears in the regulation’s recitals, not in the operative Article 12 text — we flag this distinction below so you don’t quote recital language as if it were an operative duty.

TODO — publish blocker

Verbatim operative text of Article 12(1)–(3) is pending verification in the primary-sources registry (row #1, deadline 2026-04-24). This placeholder MUST be replaced with the verbatim quote from EUR-Lex before publish. Current retrieval status: PENDING-2026-04-24.

Source: EUR-Lex Regulation (EU) 2024/1689, Article 12. Retrieved: PENDING-2026-04-24.

Where Code Atelier Governance maps to Article 12

Each bullet separates what Article 12 requires from what our SDK provides. We never conflate the two.

  • 1. Automatic event logging

    Article 12 requires: the system generates logs automatically during operation. Our SDK provides: every governance-gated action (audit.log, scope.check, cost.track_usage, gates) writes a row to the audit table without application code having to emit logs separately. See Audit Module.

  • 2. Traceability of outputs to inputs

    Article 12 requires: logs enable tracing the system's functioning. Our SDK provides: step-level provenance IDs (session_id, agent_id, parent_event_id) on every row — see API reference.

  • 3. Integrity of logs

    Article 12 requires: logs suited to their compliance purpose (implicitly, non-repudiation). Our SDK provides: an HMAC-SHA256 chain plus Ed25519 per-row signing (v0.6+). Tamper-evidence goes beyond the letter of the law.

  • 4. Retention

    Article 12 requires: retention period “appropriate to the intended purpose” (recital language). Our SDK provides: append-only Postgres rows — you decide and document the retention window. We do not auto-delete.

  • 5. Auditor access

    Article 12 requires: logs are accessible to competent authorities on request. Our SDK provides: the console exports a signed evidence bundle (CSV + HMAC verification transcript). See Console.

  • 6. Identification of incidents and malfunctions

    Article 12 requires: logs support incident identification. Our SDK provides: deny events, halt events, loop-detection breaker fires, and HITL approval/denial tokens are all first-class audit rows with distinct kind values.

  • 7. Periodic monitoring

    Article 12 requires: logs support post-market monitoring (Article 72 reads on this). Our SDK provides: agent presence heartbeat rows, and the console's compliance view rolls audit data into a seven-section Article 12 evidence report.

What the SDK does not assert

Code Atelier Governance provides evidence for SDK-observable actions. It does not assert, warrant, or certify:

  • Deployment-level compliance with the EU AI Act as a whole.
  • Organisational compliance (conformity assessments, quality management systems, technical documentation — Articles 8, 11, 17).
  • Process compliance (human oversight training, incident-response procedures, post-market monitoring plans).
  • Actions that occur outside the SDK’s gates. If your agent calls a tool without routing through sdk.scope.check, the SDK cannot log what it did not see.

The SDK produces evidence; the rest is the customer’s responsibility.

Evidence-export walkthrough

  1. Go to the governance console.
  2. Open the Compliance page.
  3. Click Verify HMAC chain. The console walks the audit table row-by-row and either returns “chain intact” or the first row whose HMAC does not match.
  4. Click Download signed Article 12 bundle. You get a CSV of audit rows plus a verification transcript stamped with the Ed25519 signature.
  5. Hand the bundle to your regulator or internal auditor. They can re-verify using the published public key.
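Step 3 above, as an added example that is not Code Atelier Governance's own code: a stand-alone Python verifier that recomputes an HMAC-SHA256 chain over constructed audit rows and reports either "chain intact" or the first row whose MAC does not match. The column set, genesis value and chain key are assumptions for illustration, not the SDK's actual schema or key handling.

```python
import hashlib
import hmac
import json

# Constructed values for this example; a real deployment keeps the chain key in a secret store.
CHAIN_KEY = b"demo-chain-key-not-for-production"
GENESIS = "0" * 64  # stands in for the MAC of the row before the first one
FIELDS = ("event_id", "parent_event_id", "session_id", "agent_id", "kind", "ts")


def row_mac(key: bytes, prev_mac: str, row: dict) -> str:
    """HMAC-SHA256 over the previous row's MAC and this row's canonical JSON fields."""
    payload = json.dumps({k: row[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, prev_mac.encode() + b"\n" + payload.encode(), hashlib.sha256).hexdigest()


def append_row(key: bytes, rows: list, row: dict) -> dict:
    """Append-only write: the new row's MAC binds it to the MAC of the current last row."""
    prev = rows[-1]["mac"] if rows else GENESIS
    stored = dict(row, mac=row_mac(key, prev, row))
    rows.append(stored)
    return stored


def verify_chain(key: bytes, rows: list) -> tuple:
    """Walk the table in order; return ("chain intact", None) or ("broken", first bad event_id)."""
    prev = GENESIS
    for row in rows:
        if not hmac.compare_digest(row["mac"], row_mac(key, prev, row)):
            return ("broken", row["event_id"])
        prev = row["mac"]
    return ("chain intact", None)


def sample_table() -> list:
    """Constructed audit rows using the provenance ids and kind values the page describes."""
    rows: list = []
    events = [
        ("evt-1", None, "scope.check", "2026-04-17T09:00:00Z"),
        ("evt-2", "evt-1", "budget.deny", "2026-04-17T09:00:01Z"),
        ("evt-3", "evt-1", "loop.halt", "2026-04-17T09:00:02Z"),
    ]
    for event_id, parent, kind, ts in events:
        append_row(CHAIN_KEY, rows, {"event_id": event_id, "parent_event_id": parent,
                                     "session_id": "sess-A", "agent_id": "agent-7",
                                     "kind": kind, "ts": ts})
    return rows


if __name__ == "__main__":
    table = sample_table()
    print(verify_chain(CHAIN_KEY, table))   # ('chain intact', None)
    table[1]["kind"] = "scope.allow"        # edit a middle row in place (constructed tamper)
    print(verify_chain(CHAIN_KEY, table))   # ('broken', 'evt-2')
```

Editing or deleting a middle row breaks verification from that row onward, but dropping trailing rows leaves a shorter chain that still verifies; that is why the row count shown next to the chain check and carried in the signed bundle matters alongside the chain walk itself.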

Screenshot — pending asset

Governance console, Compliance page. Top-left: the seven-section Article 12 status panel (six compliant, one partial with inline remediation text). Top-right: “Verify HMAC chain” button with green check and row-count. Bottom: “Download signed Article 12 bundle” button with file-size readout.

Auditor checklist (printable)

What the customer hands to their regulator. Print this page (browser Cmd/Ctrl + P) — the checklist is plain markup that renders cleanly without background colours.

  • [ ] Audit rows exist for the full audit period (provider-documented retention window).
  • [ ] HMAC chain verifies end-to-end with no broken rows.
  • [ ] Ed25519 signature on evidence bundle verifies against the published public key.
  • [ ] Every agent deployment has a registered ScopePolicy — default-deny confirmed for unknown agents.
  • [ ] Every high-risk action is gated by an HITL approval token with operator identity captured.
  • [ ] Budget-cap denial events are logged as rows with kind="budget.deny".
  • [ ] Loop-detection circuit-breaker fires are logged as rows with kind="loop.halt".
  • [ ] Agent presence heartbeats cover the operational window.
  • [ ] Incident-response runbook references the audit table and the signed-bundle export.